Re: SQLite CVE-2015-6607 (Escalation of privilege issue )

> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6607
> It mentions the escalation of privilege attack in Android due to an
> internal bug in SQLite
>
> We use SQLite distributed with Android in our application and use the
> normal Android APIs for SQLite Access. And use it for our CRUD operations.
>
> I did not find any more details about this bug so would like to know in
> this list if this is a problem.

SQLite 3.8.9, which according to the announcement fixed the relevant bug, was released in April 2015, which is now two years ago.

As described in the report, if you’re still using a version of Android before 5.1.1 the bug will still affect the platform.

> Would like to know if the same vulnerability applies for Windows universal
> platform as well.

SQLite is not built into that platform. If you wish to use SQLite on WUP yourself, just make sure you include a current version, not a two-year-old version.

>
> On 17 Apr 2017, at 9:56am, Saurav Sarkar <[hidden email]> wrote:
>
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6607
> > It mentions the escalation of privilege attack in Android due to an
> > internal bug in SQLite
> >
> > We use SQLite distributed with Android in our application and use the
> > normal Android APIs for SQLite Access. And use it for our CRUD operations.
> >
> > I did not find any more details about this bug so would like to know in
> > this list if this is a problem.
>
> SQLite 3.8.9, which according to the announcement fixed the relevant bug,
> was released in April 2015, which is now two years ago.
>
> As described in the report, if you’re still using a version of Android
> before 5.1.1 the bug will still affect the platform.
>
> > Would like to know if the same vulnerability applies for Windows universal
> > platform as well.
>
> SQLite is not built into that platform. If you wish to use SQLite on WUP
> yourself, just make sure you include a current version, not a two-year-old
> version.
>
> Simon.
> _______________________________________________
> sqlite-users mailing list
> [hidden email]
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

I don't know anything about this. It is the first I've heard of it.
I could not figure out what it has to do with SQLite based on the link
above. My assumption is that this is some kind of bug in the Android
interface to SQLite, not in SQLite itself.

Re: SQLite CVE-2015-6607 (Escalation of privilege issue )

> Can you please also let me know how this bug can be exploited in an
> application.

The problem was apparently spotted as a theoretical vulnerability and no demonstration code was submitted. It was never reported to the SQLite development team, so the team has no record of what was wrong, what it did, or how to exploit it.

From what I can see, it affected only versions of Android before Android 5.1. It allowed an application with exploit code in, if given sufficient privileges, to modify certain system files. I don’t know which files it could modify or what damage could be done that way. If you can find discussion of the problem or demonstration code I think it would be welcome here.

>
> On 17 Apr 2017, at 10:35am, Saurav Sarkar <[hidden email]>
> wrote:
>
> > Can you please also let me know how this bug can be exploited in an
> > application.
>
> The problem was apparently spotted as a theoretical vulnerability and no
> demonstration code was submitted. It was never reported to the SQLite
> development team, so the team has no record of what was wrong, what it did,
> or how to exploit it.
>
> From what I can see, it affected only versions of Android before Android
> 5.1. It allowed an application with exploit code in, if given sufficient
> privileges, to modify certain system files. I don’t know which files it
> could modify or what damage could be done that way. If you can find
> discussion of the problem or demonstration code I think it would be welcome
> here.
>
> Simon.